Information Technology Services Security Incidence Response

08:15:03 Information Technology Services Security Incidence Response

1. Introduction:

   1. College-owned or operated computing resources (hardware/software) and data (all formats) are provided for use by faculty, students and staff of Chattanooga State Community. This document constitutes the policy for the management of a security incident response for all computer resources and data institutional losses. This policy is intended to be an addition to existing college policies and regulations and does not alter or modify any existing college policy or regulation. This policy is to be used in conjunction with ChSCC 05:12:01 Sensitive Equipment Policy http://catalog.chattanoogastate.edu/content.php?catoid=5&navoid=310.

2. Purpose:

   1. The policy establishes guidelines for security incident response and reporting concerning all college-owned or operated computer hardware and software, computer network access and usage, Internet and email usage, security and privacy of data, including all formats of data storage including hard copy, files, records, hard drives, thumb drives, etc.  This document is to inform all users of the policies set forth by the College, in compliance with the Tennessee Board of Regents, and the State of Tennessee. Part of this purpose is also to provide preventative action recommendations to prevent future incidents from taking place.

3. Scope:

   1. The scope of this policy includes all ChSCC staff (including contractors and student workers), faculty, students, authorized users, contractors and visitors that have access to College facilities, computing resources or College data. The scope also includes all data created and maintained by the College, (i.e. student, research, financial, payroll/personnel, etc.), regardless of the medium on which it resides (e.g., paper, fiche, in electronic form on tape, cartridge, disk, CD-ROM, or hard drive, etc.) and regardless of form (e.g., text, graphics, video, voice, etc.) Included in the scope are all computer systems owned, leased or maintained by the College. This includes:  desktops, any mobile device, servers, various peripheral equipment including, but not limited to, printers and copiers; and all Web pages and applications contained on College equipment or disseminated via College resources.  
   2. Users and/or administrators at all levels of staff and faculty should be aware of the risks and exposures inherent in their areas of responsibility and should establish and maintain proper internal controls to provide for the security and accountability of all IT assets and other computer resources entrusted to them, as required by ChSCC Information Technology’s Policies 08:14 Technology Responsible Use, 08:13 Computer Passwords2) and 3) 08:16 Data Security policies, and other policies as necessary. Use of ChSCC sensitive data, even when carried out on a privately owned computer that is not managed or maintained by ChSCC, is governed by this policy.

4. Initial Incident Investigation Response:

   1. When an incident of fraud, waste, abuse and/or loss of information technology resources is suspected, the Chattanooga State IT Security Officer should be notified as soon as possible. If the possible loss of sensitive data is suspected, notification must happen as soon as possible on the same business day of detection. The IT Security Officer is responsible for discussion with ChSCC Security Policy and for taking the following actions for all Category A equipment, data, etc.,(see ChSCC 05:12:01 Sensitive Equipment Policy:
   2. Immediately notify PC Services to take possession of equipment, etc., that needs to be controlled pending for further investigation.
   3. Activate the Security Incident Team (VP Council). Contact the Assistant VP of Information Technology Services, Vice President of Technology, VP of Business and Finance, Student Services VP (if required), ChSCC Auditor Office and the area of incident VP to notify them of possible incident.
   4. Make a preliminary investigation to identify known facts. The reporting individual and their supervisor will be part of this preliminary investigation.
   5. Activate the College’s Technical Investigation Team to determine possible impacts due to the type of incident. Members of this team will include those individuals with technical skills that can properly evaluate the situation.

5. Incident Response Actions:

   1. As soon as possible after initial investigation is completed, the IT Security Officer will follow TBR Guideline B-80 Reporting and Resolution of Institutional Losses https://policies.tbr.edu/guidelines/reporting-and-resolution-institutional-losses.  

6. Initial Determination:

   1. The Security Incident Team will make initial determination, based on TBR 4:01:05:50 Preventing and Reporting Fraud, Waste or Abuse and TBR Guideline B-080 on whether an official incident response report to TBR is required and if FERPA and/or other sensitive data loss require customer/student notification under Tennessee Code, Title 47 Chapter 18, and Part 21. Because such reports of issues are confidential, they should only be shared on a need-to-know basis.

7. Required Actions:

   1. Based on this determination the Security Incident Team will take the following actions, as necessary and recommend to the Executive Council either that:
      1. A department official or other supervisor who receives notice of known or suspected fraud, waste or abuse must immediately report the incident to the following:
      2. The President/VP/TCAT Director or designee receiving such notice will immediately notify the TBR Vice Chancellor for Business and Finance and the System-wide Chief Audit Executive regarding the acknowledged or suspected fraud or misconduct.
      3. TCAT Directors should also report such matters to the Vice Chancellor for Tennessee Colleges of Applied Technology and the Lead Institution Vice President for Business and Finance.
      4. The System-wide Chief Audit Executive will notify the Comptroller of the Treasury of instances of fraud, waste or abuse.
      5. After initial notification, each institution should refer to TBR Guideline B-080, Reporting and Resolution of Institutional Losses, for additional reporting procedures.
      6. If customer/student notification, due to loss of FERPA and/or other sensitive data, is required and the Incident Security Team’s recommendation is agreed with, the College President and other individuals are notified immediately as required by TBR 4:01:05:50 Preventing and Reporting Fraud, Waste or Abuse TBR Guideline B-080.
      7. Any official of any agency of the state having knowledge that a theft, forgery, credit card fraud, or any other act of unlawful or unauthorized taking, or abuse of, public money, property, or services, or other shortages of public funds has occurred shall report the information immediately to the office of the Comptroller of the Treasury (T.C.A. § 8-19-501(a)). https://policies.tbr.edu/policies/preventing-and-reporting-fraud-waste-or-abuse.
      8. Because such reports of issues are confidential, they should only be shared on a need-to-know basis.   Currently any data breach issues will need to be reported to: Tammy Birchett and Linda Ciprich. Tammy.birchett@tbr.edu and Linda.ciprich@tbr.edu

8. Impact to Others:

   1. Customers/students impacted by loss of data are notified as required by Tennessee Code, Title 47 Chapter 18, Part 21. The Vice President of Student Affairs will be responsible for ensuring that written notices are prepared and mailed as required. http://www.dwt.com/files/uploads/documents/Publications/Tennessee%20Security%20Breach.pdf.

9. Required Forms/Reports:

   1. The IT Security Officer with guidance and assistance from the Security Incident Team prepares all required forms and reports and ensures required notifications are completed as directed by the VP Council.

10. ChSCC Point of Contact:

    1. Point of Contact: The IT Security Officer and/or ChSCC Chief of Police will act as POC for the college as far as incident response process requires and will be responsible for ensuring communication is provided at all times with all required College individuals. All responses to the media and outside agencies not involved in the required reporting will be handled through the Office of the President.

11. Incident Closure:

    1. Once the incident has been handled as required, the Security Incident Team prepares a “Lessons Learned” document for Executive Council review and takes actions as directed to prevent future re-occurrences

References:

1. State of Tennessee Department of Finance and Administration Office/Office for Information Resources Aug 2007/2008
2. Tennessee Code Annotated Title 47, Chapter 18, Part 21
3. Tennessee Board of Regents (TBR) Information Technology Policy B-080
4. ChSCC 05:21:01 Sensitive Equipment Policy

Approved by:

Executive  Staff

Approved by:

President’s Council

Approved:

President        8/25/2016                                                                                                                                                  

Implemented by: Computer Services, 9/30/08
Reviewed and Revised by: Computer Services, 3/27/09 rev 1                                                                                       

Reviewed and Revised by: Computer Services, 12/1/2011 No Changes                                                                                  

Reviewed and  Revised by: Computer Services 12/1/2012 rev 2                                                                              

Reviewed and Revised by:   Information Technology Services 12/20/2013 No Changes

Reviewed and Revised by: Information Technology Services 02/15/2016 Rev 3                                                          

Revision 3 Changes

Pages All. Change made from Computer Services to Information Technology Services.

Page 1. Introduction. Rewrote entire section. Added ChSCC 05:21:01 Sensitive Equipment Policy link.

Page 2 Section 4 added statement, “Immediately notify PC Services….”

Page 2 Section 7.Required Actions. Rewrote entire section. Added comptroller notification.